DPDP Rules: Stakeholder Concerns Rise Over Draft Data Protection Rules

On 14 January, India’s Minister for Electronics and Information Technology, Ashwini Vaishnaw, convened a pivotal industry consultation in New Delhi to discuss the draft Digital Personal Data Protection (DPDP) Rules. The meeting, the first in a series of planned engagements, represents a crucial step in refining the proposed regulations ahead of their finalisation.

Vaishnaw reaffirmed the government’s commitment to engaging a diverse range of stakeholders, highlighting plans for extensive consultations to ensure all perspectives are considered.

Key concerns discussed during the meeting included consent mechanisms and data localisation requirements, with industry representatives voicing worries about potential impacts on innovation and the digital economy. Vaishnaw assured participants that future sessions would focus on balancing robust regulations with the need for technological growth.

Around 350 stakeholders attended the consultation, offering valuable suggestions. Sharing his thoughts on platform X, Vaishnaw described the inputs as “excellent” and confirmed that further “focused discussions” are planned to refine the draft rules.

The Ministry of Electronics and Information Technology (MeitY) recently published draft rules for the Digital Personal Data Protection Act (DPDPA), seeking public feedback. However, many stakeholders have raised concerns about the limited consultation period and are requesting an extension. Feedback is currently being accepted until 18 February.

Sources familiar with the discussions revealed that during the meeting, Vaishnaw suggested the consultations could be extended by up to 15 days to allow for more thorough discussions and address all stakeholder concerns before finalising the rules.

The consultation, held in New Delhi, was attended by a wide range of stakeholders including representatives from social media platforms, e-commerce companies, banks, payment firms, insurance providers, telecom operators and large conglomerates. Chaired by Vaishnaw and attended by IT Secretary S Krishnan, the session focused on the DPDP Rules, an essential step in implementing the DPDP Act, which was officially notified in August 2023.

Several key issues were raised during the consultation, particularly regarding the use of virtual tokens to obtain Virtual Private Consent (VPC) from users under 18. Participants sought clarification on how these tokens would work in practice, especially in protecting minors' interests.

Additionally, concerns were voiced about the impact on children’s digital experiences. Some participants expressed fears that strict restrictions on processing children’s data could result in irrelevant content for young users. Others worried that these regulations might increase customer acquisition costs for MSMEs and content creators targeting children, as the limitations on targeted advertising would likely reduce marketing efficiency.